What is Risk?

Risk is the potential for damage or loss of an asset. For any organization, risk is the “so what?” for why any potential undesirable event should be addressed, or the way to determine an event is not truly a concern for the organization.

Click a topic below, to get a deeper understanding of risk, it’s impact and how it is measured.

Security inspection using CounterMeasures on a tabletEnterprise Risk Management (ERM) is all about understanding and managing the impact that threats and hazards have on your operations. ERM begins with an analysis of your business’ assets, business processes, and threat environment and then allows you to use your resources most effectively to minimize the losses to your operations. It’s an overall process to help you gain more insight into the relationships between threats, vulnerabilities, and hazards so you can develop smarter, safer courses of action that will benefit both you and your customers. It’s very hard to run a successful business without a strong focus on ERM. After all, a winning business plan can’t maximize profits without minimizing losses.

Successful ERM can involve many different areas of your company including security, safety, and compliance. Thankfully, these are all areas where CounterMeasures.com offers a technology solution and more. With CounterMeasures web-ERM software, you can mind your business and your budget while getting up and running with the world’s leading Enterprise Risk Management solution.

With ERM solutions from CounterMeasures.com, you’ll streamline and automate assessment, analysis and reporting processes, which allows you to give everyone in your company a view of their portion of the company’s risk profile. Then, CounterMeasures provides deeper analysis and insight into possible remediation actions. Keep everyone focused on getting new customers while keeping the ones you already have happy.

Risk level status indicatorRisk level is a combination of two factors:

  • Impact of loss -The value placed on that asset by its owner and the consequence of an undesirable event on that asset.
  • Probability of undesirable event -The likelihood that a specific vulnerability will be exploited by a particular threat.

Risk only occurs when you have a marriage between threats and vulnerabilities.
Without one or the other, you would not be at risk.

Example: If you don’t fly—you don’t run the risk of an airline hijacking. Some people now don’t feel as though it is worth the risk, so they are eliminating the risk by taking away the vulnerability. Threat still exists but there will be no impact if you are not aboard when it happens.

Loss is how one measures risk.

A loss expectancy calculates expected loss due to the impact of threats on an asset’s vulnerabilities. Two ways to define loss expectancy are:

  • Single Loss Expectancy (SLE) is the expected loss to assets due to a single instance of a threat successfully exploiting an asset’s vulnerability. In mathematical terms, it is the asset value multiplied by the system’s vulnerability level and the threat harmony value.
  • Annual Loss Expectancy (ALE) is the expected loss to an asset over a year period. In mathematical terms, it is calculated by multiplying an asset’s SLE by a threat multiplier, which is a numerical expression of how probable it is that a threat will successfully exploit an assets vulnerability during a particular time period.
Impact iconImpact is the amount of loss or damage that can be expected, as may be influenced by time or other factors.

  • Manifested Threats + Vulnerability to those threats = Impact on Assets

CounterMeasures addresses loss as one or more categories for management purposes. Destruction and denial of service apply to both physical security and information security areas. Disclosure and distrust are generally applied only to information security areas.

Loss can be further calculated into 4 different categories of impact.

  • Destruction (Complete loss)
  • Denial of Service (Not available)
  • Disclosure (Confidentiality lost)
  • Distrust (Available but questionable)
Asset vaultAn Asset is anything of value or worth protecting. This does not mean only physical items. In many organizations, assets include intangible items such as data, reputation, good will, trust, and morale. The asset may have value to an adversary, as well as to the owner, although the values may differ.

Assets are wide-ranging and can include:
• Equipment
• Proprietary information
• Facilities
• Processes
• Operations
• People
• Trade Secrets
• Anything deemed valuable to the adversary

Building in target crosshairs

Vulnerabilities are weaknesses that can be exploited by an adversary to gain access to an asset. If we didn’t have vulnerabilities, we wouldn’t be concerned about threats or security posture.

Vulnerabilities include susceptibility to:
• Unauthorized access
• Natural hazards
• Unstable power
• Terrorist activity
• Fire
• Theft
• Intelligence gathering

We can calculate vulnerabilities. The calculation is based on what countermeasures you have “in place.” By “in place” we mean that it is currently implemented—not planned, not projected—but actually there and working.

Our desire is for an acceptable level. You can never attain zero vulnerabilities simply because all countermeasures have vulnerabilities themselves. For example, we use passswords for security, but undermine that security by writing down passwords, using obvious passwords, failing to change passwords, or letting others watch while typing.

There are all kinds of vulnerabilities with every countermeasure. The goal is to minimize impact of threat and get vulnerabilities down to a level of risk that we can accept.

Risk AnalysisIn recent years, it has become widely accepted that the most cogent way to calculate risk is using the formula: I x (T x V) = R, where I is impact on assets, T is threat, and V is the vulnerability of those assets to various threats. Most risk assessment methodologies depart sharply after this point, because many depend heavily upon the observations or subjective knowledge of the assessor, which can vary widely.

CounterMeasures Risk Analysis software products and services provide a pedigreed, highly standardized, and objective process to measure each part of the calculation quantifiably. The formulae used in CounterMeasures originated in the Department of Defense (DoD) and was aligned with the National Institute of Standards and Technology (NIST) 800-53 approved calculation for Risk in 2000. Since that time, the risk calculations have been reviewed and approved by US STRATCOM for use across all DoD agencies. It was reviewed by US Department of Homeland Security (DHS) National Protection Programs Directorate (NPPD) and is an approved methodology for commercial infrastructure risk assessments. DHS Science and Technology (S&T) Directorate has reviewed and approved the methodogy and calculations for state, county, and municipality security risk assessments.

Risk is a combination of vulnerability and threat(s). For any given applicable threat/vulnerability pairing, the formula used to calculate risk (Asset Loss) in CounterMeasures is as follows:


THV = Threat Harmony Value (25 to 100%) The higher the percentage, the greater the impact of the threat on the vulnerability area it is paired with.
VULLEVEL = Vulnerability Level (11 to 100%) The higher the percentage, the greater the threat impact on assets.
ACCOST = Asset Category Cost. The calculation uses the median of a range of cost for an asset category.

CounterMeasures risk analysis process

The process of evaluating threat to and vulnerabilities of an asset to give an expert opinion on the probability of loss or damage and its impact.

The assessment establishes the basis for countermeasure recommendations.

Risk Analysis Process

Risk Analysis Bars

“Risk Analysis” is an analytical process designed to provide an understanding of vulnerabilities and how potential threats may exploit those vulnerabilities. Analysis quantifies vulnerabilities, risk, and loss, presenting an objective representation of a system’s security posture. The process includes the quantification of the probabilities and expected consequences for identified risks.

Risk analysis is a continuous process. Threat environments and countermeasures are constantly changing. Any risk analysis needs to be constantly updated to reflect the changing environment.

Considerable intelligence must be built into any analysis program to ensure that it has the ability to determine what countermeasures, vulnerabilities, threats, and asset categories apply to the surveyed entity. A good analysis program can automatically determine the applicable rules and regulations and associated countermeasures.

Using CounterMeasuresAlion’s technical approach to risk assessment is based on a well-defined, time-tested, and highly standardized process. We have been able to make Risk Assessments a source of supportable and reliable data which can be used by the organization to mitigate and manage risk based on real, up-to-date information. We accomplish this by identifying and standardizing the critical steps defined by the assessment methodology, to direct the most important areas and processes to assess, determining how to feed data into the Threat x Vulnerability x Consequence = Risk (T x V x C = R) calculation, and providing outputs which clearly identify Risk and the means to mitigate or reduce risk.

Any practitioner who has conducted risk analyses before, perhaps by hand, will notice that the process is not so different from what you already know. It is the software that helps you to complete the task thoroughly, with relative ease, and with confidence in the results.

Customer Support

Now that you’ve learned a bit about risk and its elements, reach out to an Alion CounterMeasures risk expert, to see how we can help achieve your compliance and risk reduction goals.

Do you already know what you want? Why wait? You can start using one of our tools today!